hazo_auth 6.1.1 → 7.0.2

package/dist/components/layouts/user_management/index.js

@@ -94,6 +94,7 @@ export function UserManagementLayout({ className, hrbacEnabled = false, userType
     const [users, setUsers] = useState([]);
     const [usersLoading, setUsersLoading] = useState(true);
     const [deactivateDialogOpen, setDeactivateDialogOpen] = useState(false);
+    const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
     const [resetPasswordDialogOpen, setResetPasswordDialogOpen] = useState(false);
     const [userDetailDialogOpen, setUserDetailDialogOpen] = useState(false);
     const [assignRolesDialogOpen, setAssignRolesDialogOpen] = useState(false);
@@ -217,6 +218,36 @@ export function UserManagementLayout({ className, hrbacEnabled = false, userType
             setUsersActionLoading(false);
         }
     };
+    // Handle delete user (hard-delete)
+    const handleDeleteUser = async () => {
+        if (!selectedUser)
+            return;
+        setUsersActionLoading(true);
+        try {
+            const response = await fetch(`${apiBasePath}/user_management/users`, {
+                method: "DELETE",
+                headers: { "Content-Type": "application/json" },
+                credentials: "include",
+                body: JSON.stringify({ user_id: selectedUser.id }),
+            });
+            const data = await response.json();
+            if (response.ok && data.success) {
+                setUsers((prev) => prev.filter((u) => u.id !== selectedUser.id));
+                setDeleteDialogOpen(false);
+                setSelectedUser(null);
+                toast.success("User deleted successfully");
+            }
+            else {
+                toast.error(data.error || "Failed to delete user");
+            }
+        }
+        catch (_a) {
+            toast.error("Failed to delete user");
+        }
+        finally {
+            setUsersActionLoading(false);
+        }
+    };
     // Handle reset password
     const handleResetPassword = async () => {
         if (!selectedUser)
@@ -535,7 +566,10 @@ export function UserManagementLayout({ className, hrbacEnabled = false, userType
                                                                                 }, variant: "outline", size: "sm", className: "cls_user_management_users_table_action_deactivate", children: _jsx(UserX, { className: "h-4 w-4" }) }) }), _jsx(TooltipContent, { children: _jsx("p", { children: "Deactivate" }) })] })), _jsxs(Tooltip, { children: [_jsx(TooltipTrigger, { asChild: true, children: _jsx(Button, { onClick: () => {
                                                                                     setSelectedUser(user);
                                                                                     setResetPasswordDialogOpen(true);
-                                                                                }, variant: "outline", size: "sm", className: "cls_user_management_users_table_action_reset_password", children: _jsx(KeyRound, { className: "h-4 w-4" }) }) }), _jsx(TooltipContent, { children: _jsx("p", { children: "Reset Password" }) })] })] }) }) })] }, user.id)))) })] }) })) })), showRolesTab && (_jsx(TabsContent, { value: "roles", className: "cls_user_management_tab_roles w-full", children: _jsx(RolesMatrix, { add_button_enabled: true, role_name_selection_enabled: false, onSave: (data) => {
+                                                                                }, variant: "outline", size: "sm", className: "cls_user_management_users_table_action_reset_password", children: _jsx(KeyRound, { className: "h-4 w-4" }) }) }), _jsx(TooltipContent, { children: _jsx("p", { children: "Reset Password" }) })] }), _jsxs(Tooltip, { children: [_jsx(TooltipTrigger, { asChild: true, children: _jsx(Button, { onClick: () => {
+                                                                                    setSelectedUser(user);
+                                                                                    setDeleteDialogOpen(true);
+                                                                                }, variant: "outline", size: "sm", className: "cls_user_management_users_table_action_delete text-destructive", children: _jsx(Trash2, { className: "h-4 w-4" }) }) }), _jsx(TooltipContent, { children: _jsx("p", { children: "Delete User" }) })] })] }) }) })] }, user.id)))) })] }) })) })), showRolesTab && (_jsx(TabsContent, { value: "roles", className: "cls_user_management_tab_roles w-full", children: _jsx(RolesMatrix, { add_button_enabled: true, role_name_selection_enabled: false, onSave: (data) => {
                                 // Data is already saved by RolesMatrix component
                                 console.log("Roles saved:", data);
                             } }) })), showPermissionsTab && (_jsx(TabsContent, { value: "permissions", className: "cls_user_management_tab_permissions w-full", children: _jsxs("div", { className: "cls_user_management_permissions_container flex flex-col gap-4 w-full", children: [_jsxs("div", { className: "cls_user_management_permissions_header flex items-center justify-between", children: [_jsx("div", { className: "cls_user_management_permissions_header_left flex items-center gap-2", children: _jsxs(Button, { onClick: () => setAddPermissionDialogOpen(true), variant: "default", size: "sm", className: "cls_user_management_permissions_add_button", children: [_jsx(Plus, { className: "h-4 w-4 mr-2" }), "Add Permission"] }) }), _jsx("div", { className: "cls_user_management_permissions_header_right", children: _jsx(Button, { onClick: handleMigratePermissions, disabled: migrateLoading, variant: "default", size: "sm", className: "cls_user_management_permissions_migrate_button", children: migrateLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Migrating..."] })) : ("Migrate config to database") }) })] }), permissionsLoading ? (_jsx("div", { className: "cls_user_management_permissions_loading flex items-center justify-center p-8", children: _jsx(Loader2, { className: "h-6 w-6 animate-spin text-slate-400" }) })) : (_jsx("div", { className: "cls_user_management_permissions_table_container border rounded-lg overflow-auto w-full", children: _jsxs(Table, { className: "cls_user_management_permissions_table w-full", children: [_jsx(TableHeader, { className: "cls_user_management_permissions_table_header", children: _jsxs(TableRow, { className: "cls_user_management_permissions_table_header_row", children: [_jsx(TableHead, { className: "cls_user_management_permissions_table_header_name", children: "Permission Name" }), _jsx(TableHead, { className: "cls_user_management_permissions_table_header_description", children: "Description" }), _jsx(TableHead, { className: "cls_user_management_permissions_table_header_source", children: "Source" }), _jsx(TableHead, { className: "cls_user_management_permissions_table_header_actions text-right", children: "Actions" })] }) }), _jsx(TableBody, { className: "cls_user_management_permissions_table_body", children: permissions.length === 0 ? (_jsx(TableRow, { className: "cls_user_management_permissions_table_row_empty", children: _jsx(TableCell, { colSpan: 4, className: "text-center text-muted-foreground py-8", children: "No permissions found." }) })) : (permissions.map((permission) => (_jsxs(TableRow, { className: "cls_user_management_permissions_table_row", children: [_jsx(TableCell, { className: `cls_user_management_permissions_table_cell_name font-medium ${permission.source === "db" ? "text-blue-600" : "text-purple-600"}`, children: permission.permission_name }), _jsx(TableCell, { className: "cls_user_management_permissions_table_cell_description", children: permission.description || "-" }), _jsx(TableCell, { className: "cls_user_management_permissions_table_cell_source", children: _jsx("span", { className: `px-2 py-1 rounded text-xs font-medium ${permission.source === "db"
@@ -547,7 +581,10 @@ export function UserManagementLayout({ className, hrbacEnabled = false, userType
                                                                             }, variant: "outline", size: "sm", className: "cls_user_management_permissions_table_action_edit", children: [_jsx(Edit, { className: "h-4 w-4 mr-1" }), "Edit"] }), _jsxs(Button, { onClick: () => handleDeletePermission(permission), disabled: permissionsActionLoading, variant: "outline", size: "sm", className: "cls_user_management_permissions_table_action_delete text-destructive", children: [_jsx(Trash2, { className: "h-4 w-4 mr-1" }), "Delete"] })] })) }) })] }, `${permission.source}-${permission.id}-${permission.permission_name}`)))) })] }) }))] }) })), showScopeHierarchyTab && (_jsx(TabsContent, { value: "scope_hierarchy", className: "cls_user_management_tab_scope_hierarchy w-full", children: _jsx(ScopeHierarchyTab, {}) })), showUserScopesTab && (_jsx(TabsContent, { value: "user_scopes", className: "cls_user_management_tab_user_scopes w-full", children: _jsx(UserScopesTab, {}) }))] })), _jsx(AlertDialog, { open: deactivateDialogOpen, onOpenChange: setDeactivateDialogOpen, children: _jsxs(AlertDialogContent, { className: "cls_user_management_deactivate_dialog", children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Deactivate User" }), _jsxs(AlertDialogDescription, { children: ["Are you sure you want to deactivate ", (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.name) || (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address), "? They will not be able to log in until reactivated."] })] }), _jsxs(AlertDialogFooter, { className: "cls_user_management_deactivate_dialog_footer", children: [_jsx(AlertDialogAction, { onClick: handleDeactivateUser, disabled: usersActionLoading, className: "cls_user_management_deactivate_dialog_confirm", children: usersActionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Deactivating..."] })) : ("Deactivate") }), _jsx(AlertDialogCancel, { onClick: () => {
                                         setDeactivateDialogOpen(false);
                                         setSelectedUser(null);
-                                    }, className: "cls_user_management_deactivate_dialog_cancel", children: "Cancel" })] })] }) }), _jsx(AlertDialog, { open: resetPasswordDialogOpen, onOpenChange: setResetPasswordDialogOpen, children: _jsxs(AlertDialogContent, { className: "cls_user_management_reset_password_dialog", children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Reset Password" }), _jsxs(AlertDialogDescription, { children: ["Send a password reset email to ", selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address, "? They will receive a link to reset their password."] })] }), _jsxs(AlertDialogFooter, { className: "cls_user_management_reset_password_dialog_footer", children: [_jsx(AlertDialogAction, { onClick: handleResetPassword, disabled: usersActionLoading, className: "cls_user_management_reset_password_dialog_confirm", children: usersActionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Sending..."] })) : ("Send Reset Email") }), _jsx(AlertDialogCancel, { onClick: () => {
+                                    }, className: "cls_user_management_deactivate_dialog_cancel", children: "Cancel" })] })] }) }), _jsx(AlertDialog, { open: deleteDialogOpen, onOpenChange: setDeleteDialogOpen, children: _jsxs(AlertDialogContent, { className: "cls_user_management_delete_dialog", children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Delete User" }), _jsxs(AlertDialogDescription, { children: ["This will permanently delete ", (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.name) || (selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address), "'s account and all associated data. This cannot be undone."] })] }), _jsxs(AlertDialogFooter, { className: "cls_user_management_delete_dialog_footer", children: [_jsx(AlertDialogAction, { onClick: handleDeleteUser, disabled: usersActionLoading, className: "cls_user_management_delete_dialog_confirm bg-destructive text-destructive-foreground hover:bg-destructive/90", children: usersActionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Deleting..."] })) : (_jsxs(_Fragment, { children: [_jsx(Trash2, { className: "h-4 w-4 mr-2" }), "Delete"] })) }), _jsx(AlertDialogCancel, { onClick: () => {
+                                        setDeleteDialogOpen(false);
+                                        setSelectedUser(null);
+                                    }, className: "cls_user_management_delete_dialog_cancel", children: "Cancel" })] })] }) }), _jsx(AlertDialog, { open: resetPasswordDialogOpen, onOpenChange: setResetPasswordDialogOpen, children: _jsxs(AlertDialogContent, { className: "cls_user_management_reset_password_dialog", children: [_jsxs(AlertDialogHeader, { children: [_jsx(AlertDialogTitle, { children: "Reset Password" }), _jsxs(AlertDialogDescription, { children: ["Send a password reset email to ", selectedUser === null || selectedUser === void 0 ? void 0 : selectedUser.email_address, "? They will receive a link to reset their password."] })] }), _jsxs(AlertDialogFooter, { className: "cls_user_management_reset_password_dialog_footer", children: [_jsx(AlertDialogAction, { onClick: handleResetPassword, disabled: usersActionLoading, className: "cls_user_management_reset_password_dialog_confirm", children: usersActionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Sending..."] })) : ("Send Reset Email") }), _jsx(AlertDialogCancel, { onClick: () => {
                                         setResetPasswordDialogOpen(false);
                                         setSelectedUser(null);
                                     }, className: "cls_user_management_reset_password_dialog_cancel", children: "Cancel" })] })] }) }), _jsx(Dialog, { open: editPermissionDialogOpen, onOpenChange: setEditPermissionDialogOpen, children: _jsxs(DialogContent, { className: "cls_user_management_edit_permission_dialog", children: [_jsxs(DialogHeader, { children: [_jsx(DialogTitle, { children: "Edit Permission" }), _jsxs(DialogDescription, { children: ["Update the description for permission: ", editingPermission === null || editingPermission === void 0 ? void 0 : editingPermission.permission_name] })] }), _jsx("div", { className: "cls_user_management_edit_permission_dialog_content flex flex-col gap-4 py-4", children: _jsxs("div", { className: "cls_user_management_edit_permission_dialog_field flex flex-col gap-2", children: [_jsx(Label, { htmlFor: "permission_description", className: "cls_user_management_edit_permission_dialog_label", children: "Description" }), _jsx(Input, { id: "permission_description", value: editDescription, onChange: (e) => setEditDescription(e.target.value), placeholder: "Enter permission description", className: "cls_user_management_edit_permission_dialog_input" })] }) }), _jsxs(DialogFooter, { className: "cls_user_management_edit_permission_dialog_footer", children: [_jsx(Button, { onClick: handleEditPermission, disabled: permissionsActionLoading, variant: "default", className: "cls_user_management_edit_permission_dialog_save", children: permissionsActionLoading ? (_jsxs(_Fragment, { children: [_jsx(Loader2, { className: "h-4 w-4 mr-2 animate-spin" }), "Saving..."] })) : (_jsxs(_Fragment, { children: [_jsx(CircleCheck, { className: "h-4 w-4 mr-2" }), "Save"] })) }), _jsxs(Button, { onClick: () => {

package/dist/consent/consent_state.d.ts

@@ -0,0 +1,18 @@
+export interface ConsentState {
+    necessary: true;
+    functional: boolean;
+    analytics: boolean;
+    marketing: boolean;
+    version: 1;
+}
+export declare const HAZO_CONSENT_COOKIE_NAME = "hazo_consent_v1";
+/**
+ * Parse a URL-encoded JSON cookie value into a ConsentState.
+ * Returns null if the value is invalid or has an unexpected shape.
+ */
+export declare function parse_consent(value: string): ConsentState | null;
+/**
+ * Serialize a ConsentState to a URL-encoded JSON string suitable for cookie storage.
+ */
+export declare function serialize_consent(state: ConsentState): string;
+//# sourceMappingURL=consent_state.d.ts.map

package/dist/consent/consent_state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent_state.d.ts","sourceRoot":"","sources":["../../src/consent/consent_state.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,UAAU,EAAE,OAAO,CAAC;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,CAAC,CAAC;CACZ;AAED,eAAO,MAAM,wBAAwB,oBAAoB,CAAC;AAE1D;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAgBhE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM,CAE7D"}

package/dist/consent/consent_state.js

@@ -0,0 +1,29 @@
+// file_description: isomorphic consent state types, parser, and serializer — no Node.js or browser-specific imports
+export const HAZO_CONSENT_COOKIE_NAME = "hazo_consent_v1";
+/**
+ * Parse a URL-encoded JSON cookie value into a ConsentState.
+ * Returns null if the value is invalid or has an unexpected shape.
+ */
+export function parse_consent(value) {
+    try {
+        const decoded = decodeURIComponent(value);
+        const parsed = JSON.parse(decoded);
+        // Validate shape
+        if (parsed.version !== 1 ||
+            parsed.necessary !== true ||
+            typeof parsed.functional !== "boolean" ||
+            typeof parsed.analytics !== "boolean" ||
+            typeof parsed.marketing !== "boolean")
+            return null;
+        return parsed;
+    }
+    catch (_a) {
+        return null;
+    }
+}
+/**
+ * Serialize a ConsentState to a URL-encoded JSON string suitable for cookie storage.
+ */
+export function serialize_consent(state) {
+    return encodeURIComponent(JSON.stringify(state));
+}

package/dist/consent/cookie_consent_banner.d.ts

@@ -0,0 +1,11 @@
+import { type ConsentState } from "./consent_state.js";
+interface CookieConsentBannerProps {
+    enableGTM?: boolean;
+    gtmContainerId?: string;
+    onChange?: (state: ConsentState) => void;
+    /** Default: "bottom" */
+    position?: "bottom" | "top";
+}
+export declare function CookieConsentBanner({ enableGTM, gtmContainerId, onChange, position, }: CookieConsentBannerProps): import("react/jsx-runtime").JSX.Element;
+export {};
+//# sourceMappingURL=cookie_consent_banner.d.ts.map

package/dist/consent/cookie_consent_banner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie_consent_banner.d.ts","sourceRoot":"","sources":["../../src/consent/cookie_consent_banner.tsx"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAKpD,UAAU,wBAAwB;IAChC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,IAAI,CAAC;IACzC,wBAAwB;IACxB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;CAC7B;AAED,wBAAgB,mBAAmB,CAAC,EAClC,SAAS,EACT,cAAc,EACd,QAAQ,EACR,QAAmB,GACpB,EAAE,wBAAwB,2CA4E1B"}

package/dist/consent/cookie_consent_banner.js

@@ -0,0 +1,40 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
+// file_description: cookie consent banner — shown until the user makes a consent choice; renders manage modal afterward
+import { useEffect, useRef } from "react";
+import { useConsent } from "./use_consent.js";
+import { ConsentManageModal } from "./manage_modal.js";
+import { to_gtm_signals, gtm_default_payload } from "./gtm_mapping.js";
+export function CookieConsentBanner({ enableGTM, gtmContainerId, onChange, position = "bottom", }) {
+    const { consent, set_consent, open_manager } = useConsent();
+    const gtm_default_pushed = useRef(false);
+    // Push consent_default to GTM on first mount (before user has consented)
+    useEffect(() => {
+        if (!enableGTM || !gtmContainerId)
+            return;
+        if (gtm_default_pushed.current)
+            return;
+        gtm_default_pushed.current = true;
+        window.dataLayer = window.dataLayer || [];
+        window.dataLayer.push(Object.assign({ event: "consent_default" }, gtm_default_payload()));
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, []); // only on mount
+    // Push consent_update to GTM whenever the user's consent changes
+    useEffect(() => {
+        if (!consent)
+            return; // no state yet — don't push
+        onChange === null || onChange === void 0 ? void 0 : onChange(consent);
+        if (enableGTM && gtmContainerId) {
+            window.dataLayer = window.dataLayer || [];
+            window.dataLayer.push(Object.assign({ event: "consent_update" }, to_gtm_signals(consent)));
+        }
+        // onChange is intentionally excluded to avoid infinite loops with unstable prop refs
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, [consent, enableGTM, gtmContainerId]);
+    // Consent already captured — only render the modal so open_manager() still works
+    if (consent !== null) {
+        return _jsx(ConsentManageModal, {});
+    }
+    const positionClass = position === "top" ? "top-0" : "bottom-0";
+    return (_jsxs(_Fragment, { children: [_jsxs("div", { className: `fixed ${positionClass} left-0 right-0 z-40 bg-primary text-primary-foreground p-4 flex flex-wrap items-center gap-3 justify-between`, children: [_jsx("p", { className: "text-sm flex-1 min-w-[200px]", children: "We use cookies to improve your experience. By continuing, you agree to our use of cookies." }), _jsxs("div", { className: "flex gap-2 flex-wrap", children: [_jsx("button", { onClick: () => set_consent({ functional: false, analytics: false, marketing: false }), className: "px-3 py-1.5 text-xs bg-primary-foreground/20 hover:bg-primary-foreground/30 rounded text-primary-foreground", children: "Decline all" }), _jsx("button", { onClick: () => open_manager(), className: "px-3 py-1.5 text-xs bg-primary-foreground/20 hover:bg-primary-foreground/30 rounded text-primary-foreground", children: "Manage" }), _jsx("button", { onClick: () => set_consent({ functional: true, analytics: true, marketing: true }), className: "px-3 py-1.5 text-xs bg-primary-foreground rounded text-primary font-medium", children: "Accept all" })] })] }), _jsx(ConsentManageModal, {})] }));
+}

package/dist/consent/gtm_mapping.d.ts

@@ -0,0 +1,13 @@
+import type { ConsentState } from "./consent_state";
+export type GtmSignal = "security_storage" | "functionality_storage" | "personalization_storage" | "analytics_storage" | "ad_storage" | "ad_user_data" | "ad_personalization";
+/**
+ * Maps a ConsentState to GTM consent signals.
+ * security_storage is always granted; other signals follow the user's category choices.
+ */
+export declare function to_gtm_signals(state: ConsentState): Record<GtmSignal, "granted" | "denied">;
+/**
+ * Default GTM consent payload before the user has made a choice.
+ * security_storage is granted; all others are denied.
+ */
+export declare function gtm_default_payload(): Record<GtmSignal, "granted" | "denied">;
+//# sourceMappingURL=gtm_mapping.d.ts.map

package/dist/consent/gtm_mapping.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gtm_mapping.d.ts","sourceRoot":"","sources":["../../src/consent/gtm_mapping.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,MAAM,MAAM,SAAS,GACjB,kBAAkB,GAClB,uBAAuB,GACvB,yBAAyB,GACzB,mBAAmB,GACnB,YAAY,GACZ,cAAc,GACd,oBAAoB,CAAC;AAEzB;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM,CAAC,SAAS,EAAE,SAAS,GAAG,QAAQ,CAAC,CAU3F;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,SAAS,GAAG,QAAQ,CAAC,CAU7E"}

package/dist/consent/gtm_mapping.js

@@ -0,0 +1,30 @@
+/**
+ * Maps a ConsentState to GTM consent signals.
+ * security_storage is always granted; other signals follow the user's category choices.
+ */
+export function to_gtm_signals(state) {
+    return {
+        security_storage: "granted", // always granted
+        functionality_storage: state.functional ? "granted" : "denied",
+        personalization_storage: state.functional ? "granted" : "denied",
+        analytics_storage: state.analytics ? "granted" : "denied",
+        ad_storage: state.marketing ? "granted" : "denied",
+        ad_user_data: state.marketing ? "granted" : "denied",
+        ad_personalization: state.marketing ? "granted" : "denied",
+    };
+}
+/**
+ * Default GTM consent payload before the user has made a choice.
+ * security_storage is granted; all others are denied.
+ */
+export function gtm_default_payload() {
+    return {
+        security_storage: "granted",
+        functionality_storage: "denied",
+        personalization_storage: "denied",
+        analytics_storage: "denied",
+        ad_storage: "denied",
+        ad_user_data: "denied",
+        ad_personalization: "denied",
+    };
+}

package/dist/consent/index.d.ts

@@ -0,0 +1,7 @@
+export * from "./consent_state.js";
+export * from "./cookie_consent_banner.js";
+export * from "./use_consent.js";
+export * from "./read_consent.js";
+export * from "./gtm_mapping.js";
+export * from "./manage_modal.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/consent/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/consent/index.ts"],"names":[],"mappings":"AACA,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC"}

package/dist/consent/index.js

@@ -0,0 +1,7 @@
+// file_description: barrel export for the hazo_auth consent module
+export * from "./consent_state.js";
+export * from "./cookie_consent_banner.js";
+export * from "./use_consent.js";
+export * from "./read_consent.js";
+export * from "./gtm_mapping.js";
+export * from "./manage_modal.js";

package/dist/consent/manage_modal.d.ts

@@ -0,0 +1,2 @@
+export declare function ConsentManageModal(): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=manage_modal.d.ts.map

package/dist/consent/manage_modal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manage_modal.d.ts","sourceRoot":"","sources":["../../src/consent/manage_modal.tsx"],"names":[],"mappings":"AAOA,wBAAgB,kBAAkB,4CA0GjC"}

package/dist/consent/manage_modal.js

@@ -0,0 +1,33 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+// file_description: modal dialog for managing individual cookie consent categories
+import { useEffect, useState } from "react";
+import * as Dialog from "@radix-ui/react-dialog";
+import { useConsent } from "./use_consent.js";
+export function ConsentManageModal() {
+    const { consent, set_consent } = useConsent();
+    const [open, setOpen] = useState(false);
+    const [local, setLocal] = useState({
+        functional: false,
+        analytics: false,
+        marketing: false,
+    });
+    // Listen for the open event dispatched by open_manager()
+    useEffect(() => {
+        const handle = () => {
+            setLocal({
+                functional: !!(consent === null || consent === void 0 ? void 0 : consent.functional),
+                analytics: !!(consent === null || consent === void 0 ? void 0 : consent.analytics),
+                marketing: !!(consent === null || consent === void 0 ? void 0 : consent.marketing),
+            });
+            setOpen(true);
+        };
+        window.addEventListener("hazo_auth:open_consent_manager", handle);
+        return () => window.removeEventListener("hazo_auth:open_consent_manager", handle);
+    }, [consent]);
+    const save = () => {
+        set_consent(Object.assign(Object.assign({}, local), { necessary: true, version: 1 }));
+        setOpen(false);
+    };
+    return (_jsx(Dialog.Root, { open: open, onOpenChange: setOpen, children: _jsxs(Dialog.Portal, { children: [_jsx(Dialog.Overlay, { className: "fixed inset-0 bg-black/50 z-50" }), _jsxs(Dialog.Content, { className: "fixed top-1/2 left-1/2 -translate-x-1/2 -translate-y-1/2 bg-background rounded-lg p-6 z-50 w-full max-w-md shadow-lg", children: [_jsx(Dialog.Title, { className: "text-lg font-semibold mb-4", children: "Cookie preferences" }), _jsxs("div", { className: "flex items-center justify-between py-3 border-b", children: [_jsxs("div", { children: [_jsx("p", { className: "font-medium", children: "Necessary" }), _jsx("p", { className: "text-sm text-muted-foreground", children: "Required for the site to function" })] }), _jsx("input", { type: "checkbox", checked: true, disabled: true, className: "h-4 w-4" })] }), _jsxs("div", { className: "flex items-center justify-between py-3 border-b", children: [_jsxs("div", { children: [_jsx("p", { className: "font-medium", children: "Functional" }), _jsx("p", { className: "text-sm text-muted-foreground", children: "Remembers your preferences" })] }), _jsx("input", { type: "checkbox", checked: local.functional, onChange: (e) => setLocal((p) => (Object.assign(Object.assign({}, p), { functional: e.target.checked }))), className: "h-4 w-4" })] }), _jsxs("div", { className: "flex items-center justify-between py-3 border-b", children: [_jsxs("div", { children: [_jsx("p", { className: "font-medium", children: "Analytics" }), _jsx("p", { className: "text-sm text-muted-foreground", children: "Helps us understand how you use the site" })] }), _jsx("input", { type: "checkbox", checked: local.analytics, onChange: (e) => setLocal((p) => (Object.assign(Object.assign({}, p), { analytics: e.target.checked }))), className: "h-4 w-4" })] }), _jsxs("div", { className: "flex items-center justify-between py-3", children: [_jsxs("div", { children: [_jsx("p", { className: "font-medium", children: "Marketing" }), _jsx("p", { className: "text-sm text-muted-foreground", children: "Used for targeted advertising" })] }), _jsx("input", { type: "checkbox", checked: local.marketing, onChange: (e) => setLocal((p) => (Object.assign(Object.assign({}, p), { marketing: e.target.checked }))), className: "h-4 w-4" })] }), _jsxs("div", { className: "mt-6 flex gap-3 justify-end", children: [_jsx("button", { className: "px-4 py-2 text-sm border rounded-md hover:bg-muted", onClick: () => setOpen(false), children: "Cancel" }), _jsx("button", { className: "px-4 py-2 text-sm bg-primary text-primary-foreground rounded-md hover:opacity-90", onClick: save, children: "Save preferences" })] })] })] }) }));
+}

package/dist/consent/read_consent.d.ts

@@ -0,0 +1,15 @@
+import { type ConsentState } from "./consent_state.js";
+/** Structural type covering both `Headers` and Next.js `ReadonlyHeaders`. */
+type AnyHeaders = {
+    get(name: string): string | null;
+};
+/**
+ * Reads the consent state from request headers (server-side).
+ * Returns null if the consent cookie is absent or contains invalid data.
+ *
+ * Prefix support (Phase 7): when cookie_prefix config is set, the cookie name
+ * is `${prefix}hazo_consent_v1`. Currently uses the base name only.
+ */
+export declare function read_consent(headers: AnyHeaders): ConsentState | null;
+export {};
+//# sourceMappingURL=read_consent.d.ts.map

package/dist/consent/read_consent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"read_consent.d.ts","sourceRoot":"","sources":["../../src/consent/read_consent.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,YAAY,EAA2C,MAAM,iBAAiB,CAAC;AAE7F,6EAA6E;AAC7E,KAAK,UAAU,GAAG;IAAE,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC;AAEvD;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY,GAAG,IAAI,CAcrE"}

package/dist/consent/read_consent.js

@@ -0,0 +1,23 @@
+// file_description: server-side helper that reads consent state from request headers
+import { HAZO_CONSENT_COOKIE_NAME, parse_consent } from "./consent_state.js";
+/**
+ * Reads the consent state from request headers (server-side).
+ * Returns null if the consent cookie is absent or contains invalid data.
+ *
+ * Prefix support (Phase 7): when cookie_prefix config is set, the cookie name
+ * is `${prefix}hazo_consent_v1`. Currently uses the base name only.
+ */
+export function read_consent(headers) {
+    const cookie_header = headers.get("cookie");
+    if (!cookie_header)
+        return null;
+    const cookie_name = HAZO_CONSENT_COOKIE_NAME;
+    const match = cookie_header
+        .split(";")
+        .map((c) => c.trim())
+        .find((c) => c.startsWith(`${cookie_name}=`));
+    if (!match)
+        return null;
+    const value = match.slice(cookie_name.length + 1);
+    return parse_consent(value);
+}

package/dist/consent/use_consent.d.ts

@@ -0,0 +1,7 @@
+import { type ConsentState } from "./consent_state.js";
+export declare function useConsent(): {
+    consent: ConsentState | null;
+    set_consent: (patch: Partial<ConsentState>) => void;
+    open_manager: () => void;
+};
+//# sourceMappingURL=use_consent.d.ts.map

package/dist/consent/use_consent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"use_consent.d.ts","sourceRoot":"","sources":["../../src/consent/use_consent.ts"],"names":[],"mappings":"AAIA,OAAO,EACL,KAAK,YAAY,EAIlB,MAAM,iBAAiB,CAAC;AAmBzB,wBAAgB,UAAU,IAAI;IAC5B,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC7B,WAAW,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC;IACpD,YAAY,EAAE,MAAM,IAAI,CAAC;CAC1B,CAyCA"}

package/dist/consent/use_consent.js

@@ -0,0 +1,55 @@
+"use client";
+// file_description: client hook to read and update the user's cookie consent state
+import { useState, useEffect, useCallback } from "react";
+import { HAZO_CONSENT_COOKIE_NAME, parse_consent, serialize_consent, } from "./consent_state.js";
+function read_from_cookie() {
+    if (typeof document === "undefined")
+        return null;
+    const match = document.cookie
+        .split(";")
+        .map((c) => c.trim())
+        .find((c) => c.startsWith(`${HAZO_CONSENT_COOKIE_NAME}=`));
+    if (!match)
+        return null;
+    return parse_consent(match.slice(HAZO_CONSENT_COOKIE_NAME.length + 1));
+}
+function write_cookie(state) {
+    const value = serialize_consent(state);
+    const maxAge = 13 * 30 * 24 * 60 * 60; // ~13 months in seconds
+    const secure = location.protocol === "https:" ? "; Secure" : "";
+    document.cookie = `${HAZO_CONSENT_COOKIE_NAME}=${value}; Max-Age=${maxAge}; SameSite=Lax; Path=/${secure}`;
+}
+export function useConsent() {
+    const [consent, setConsent] = useState(null);
+    useEffect(() => {
+        // Hydrate from cookie on mount
+        setConsent(read_from_cookie());
+        // Subscribe to cross-component updates dispatched by other useConsent instances.
+        // Read state from event.detail to avoid a redundant cookie parse and prevent
+        // a double re-render when the same hook instance dispatches the event itself.
+        const handle_update = (e) => {
+            const detail = e.detail;
+            setConsent(detail);
+        };
+        window.addEventListener("hazo_auth:consent_update", handle_update);
+        return () => window.removeEventListener("hazo_auth:consent_update", handle_update);
+    }, []);
+    const set_consent = useCallback((patch) => {
+        const base = consent !== null && consent !== void 0 ? consent : {
+            necessary: true,
+            functional: false,
+            analytics: false,
+            marketing: false,
+            version: 1,
+        };
+        // necessary and version are always forced to their fixed values
+        const next = Object.assign(Object.assign(Object.assign({}, base), patch), { necessary: true, version: 1 });
+        write_cookie(next);
+        setConsent(next);
+        window.dispatchEvent(new CustomEvent("hazo_auth:consent_update", { detail: next }));
+    }, [consent]);
+    const open_manager = useCallback(() => {
+        window.dispatchEvent(new CustomEvent("hazo_auth:open_consent_manager"));
+    }, []);
+    return { consent, set_consent, open_manager };
+}

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 export * from "./contexts/hazo_auth_provider.js";
 export * from "./contexts/hazo_auth_config.js";
 export * from "./components/index.js";
-export type { HazoAuthUser, HazoAuthResult, HazoAuthError, HazoAuthOptions, ScopeDetails, SelectedScope, TenantAuthOptions, TenantAuthResult, RequiredTenantAuthResult, } from "./lib/auth/auth_types";
+export type { HazoAuthUser, HazoAuthResult, HazoAuthError, HazoAuthOptions, ScopeDetails, TenantOrganization, TenantAuthOptions, TenantAuthResult, RequiredTenantAuthResult, } from "./lib/auth/auth_types";
 export { AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedError, } from "./lib/auth/auth_types.js";
 export { cn, merge_class_names } from "./lib/utils.js";
 export { HAZO_AUTH_PERMISSIONS, ALL_ADMIN_PERMISSIONS } from "./lib/constants.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,cAAc,+BAA+B,CAAC;AAC9C,cAAc,6BAA6B,CAAC;AAG5C,cAAc,oBAAoB,CAAC;AAGnC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,aAAa,EACb,eAAe,EACf,YAAY,EACZ,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,cAAc,+BAA+B,CAAC;AAC9C,cAAc,6BAA6B,CAAC;AAG5C,cAAc,oBAAoB,CAAC;AAGnC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/lib/auth/auth_types.d.ts

@@ -103,11 +103,10 @@ export type ScopeDetails = {
     tagline: string | null;
 };
 /**
- * Currently selected scope information returned in tenant auth results.
- * Simplified view of the scope chosen via the scope-selection cookie or
- * `X-Hazo-Scope-Id` header.
+ * Tenant/organization information returned in tenant auth results
+ * Simplified view of scope for API responses
  */
-export type SelectedScope = {
+export type TenantOrganization = {
     id: string;
     name: string;
     slug: string | null;
@@ -145,9 +144,9 @@ export type TenantAuthResult = {
     permissions: string[];
     permission_ok: boolean;
     missing_permissions?: string[];
-    selected_scope: SelectedScope | null;
-    /** Shorthand for selected_scope?.id - commonly used for DB query filters. */
-    selected_scope_id: string | null;
+    organization: TenantOrganization | null;
+    /** Shorthand for organization?.id - commonly used for DB query filters */
+    organization_id: string | null;
     user_scopes: ScopeDetails[];
     scope_ok?: boolean;
     scope_access_via?: ScopeAccessInfo;
@@ -156,19 +155,19 @@ export type TenantAuthResult = {
     user: null;
     permissions: [];
     permission_ok: false;
-    selected_scope: null;
-    /** Shorthand for selected_scope?.id - commonly used for DB query filters. */
-    selected_scope_id: null;
+    organization: null;
+    /** Shorthand for organization?.id - commonly used for DB query filters */
+    organization_id: null;
     user_scopes: [];
     scope_ok?: false;
 };
 /**
- * Guaranteed authenticated result with non-null selected_scope.
- * Returned by require_tenant_auth when validation passes.
+ * Guaranteed authenticated result with non-null organization
+ * Returned by require_tenant_auth when validation passes
  */
 export type RequiredTenantAuthResult = TenantAuthResult & {
     authenticated: true;
-    selected_scope: SelectedScope;
+    organization: TenantOrganization;
 };
 /**
  * Base error class for all hazo_auth errors

package/dist/lib/auth/auth_types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAWA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEnC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC/C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE/B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,mBAAmB,EAAE,MAAM,EAAE;IAC7B,gBAAgB,EAAE,MAAM,EAAE;IAC1B,oBAAoB,EAAE,MAAM,EAAE;IAC9B,qBAAqB,CAAC,EAAE,MAAM;IAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;gBAJ7C,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,oBAAoB,EAAE,MAAM,EAAE,EAC9B,qBAAqB,CAAC,EAAE,MAAM,YAAA,EAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,YAAA;CAKvD;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IAEhC,QAAQ,EAAE,MAAM;IAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;gBAD7D,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAKvE;AAID;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAEhB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,EAAE;QACT,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;KACxB,CAAC;CACH,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG,eAAe,GAAG;IAChD;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GACxB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,cAAc,EAAE,aAAa,GAAG,IAAI,CAAC;IACrC,6EAA6E;IAC7E,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,cAAc,EAAE,IAAI,CAAC;IACrB,6EAA6E;IAC7E,iBAAiB,EAAE,IAAI,CAAC;IACxB,WAAW,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,gBAAgB,GAAG;IACxD,aAAa,EAAE,IAAI,CAAC;IACpB,cAAc,EAAE,aAAa,CAAC;CAC/B,CAAC;AAIF;;;GAGG;AACH,qBAAa,aAAc,SAAQ,KAAK;aAGpB,IAAI,EAAE,MAAM;aACZ,WAAW,EAAE,MAAM;gBAFnC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM;CAKtC;AAED;;GAEG;AACH,qBAAa,2BAA4B,SAAQ,aAAa;gBAChD,OAAO,GAAE,MAAkC;CAIxD;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,aAAa;aAGlC,WAAW,EAAE,YAAY,EAAE;gBAD3C,OAAO,GAAE,MAAkC,EAC3B,WAAW,GAAE,YAAY,EAAO;CAKnD;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,aAAa;aAEtC,QAAQ,EAAE,MAAM;aAChB,WAAW,EAAE,YAAY,EAAE;gBAD3B,QAAQ,EAAE,MAAM,EAChB,WAAW,GAAE,YAAY,EAAO;CAKnD"}
+{"version":3,"file":"auth_types.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/auth_types.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEnC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC/C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,cAAc,GACtB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE/B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,mBAAmB,EAAE,MAAM,EAAE;IAC7B,gBAAgB,EAAE,MAAM,EAAE;IAC1B,oBAAoB,EAAE,MAAM,EAAE;IAC9B,qBAAqB,CAAC,EAAE,MAAM;IAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;gBAJ7C,mBAAmB,EAAE,MAAM,EAAE,EAC7B,gBAAgB,EAAE,MAAM,EAAE,EAC1B,oBAAoB,EAAE,MAAM,EAAE,EAC9B,qBAAqB,CAAC,EAAE,MAAM,YAAA,EAC9B,uBAAuB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,YAAA;CAKvD;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IAEhC,QAAQ,EAAE,MAAM;IAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;gBAD7D,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAKvE;AAID;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAEhB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,EAAE;QACT,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;KACxB,CAAC;CACH,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG,eAAe,GAAG;IAChD;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GACxB;IACE,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,EAAE,kBAAkB,GAAG,IAAI,CAAC;IACxC,0EAA0E;IAC1E,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC,GACD;IACE,aAAa,EAAE,KAAK,CAAC;IACrB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,EAAE,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC;IACrB,YAAY,EAAE,IAAI,CAAC;IACnB,0EAA0E;IAC1E,eAAe,EAAE,IAAI,CAAC;IACtB,WAAW,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AAEN;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,gBAAgB,GAAG;IACxD,aAAa,EAAE,IAAI,CAAC;IACpB,YAAY,EAAE,kBAAkB,CAAC;CAClC,CAAC;AAIF;;;GAGG;AACH,qBAAa,aAAc,SAAQ,KAAK;aAGpB,IAAI,EAAE,MAAM;aACZ,WAAW,EAAE,MAAM;gBAFnC,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM;CAKtC;AAED;;GAEG;AACH,qBAAa,2BAA4B,SAAQ,aAAa;gBAChD,OAAO,GAAE,MAAkC;CAIxD;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,aAAa;aAGlC,WAAW,EAAE,YAAY,EAAE;gBAD3C,OAAO,GAAE,MAAkC,EAC3B,WAAW,GAAE,YAAY,EAAO;CAKnD;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,aAAa;aAEtC,QAAQ,EAAE,MAAM;aAChB,WAAW,EAAE,YAAY,EAAE;gBAD3B,QAAQ,EAAE,MAAM,EAChB,WAAW,GAAE,YAAY,EAAO;CAKnD"}

package/dist/lib/auth/auth_types.js

@@ -1,12 +1,4 @@
 // file_description: Type definitions and error classes for hazo_get_auth utility
-//
-// Naming note (v6.0.0): the field previously called `organization` (and
-// `organization_id`) on `TenantAuthResult` was renamed to `selected_scope`
-// (and `selected_scope_id`), and the type `TenantOrganization` was renamed
-// to `SelectedScope`. The multi-tenancy model is scopes throughout; the
-// old name was a legacy synonym for "the currently selected scope" derived
-// from the scope-selection cookie/header. No deprecation shim is provided.
-//
 // section: types
 /**
  * Custom error class for permission denials

package/dist/lib/auth/hazo_get_tenant_auth.server.d.ts

@@ -13,21 +13,20 @@ export declare function extract_scope_id_from_request(request: NextRequest, opti
  * Tenant-aware authentication function
  *
  * Extracts tenant/scope context from request headers or cookies,
- * validates access, and returns enriched result including the currently
- * selected scope.
+ * validates access, and returns enriched result with organization info.
  *
  * Header priority: X-Hazo-Scope-Id > Cookie
  *
  * @param request - NextRequest object
  * @param options - TenantAuthOptions for customization
- * @returns TenantAuthResult with user, permissions, selected_scope, and user_scopes
+ * @returns TenantAuthResult with user, permissions, organization, and user_scopes
  *
  * @example
  * ```typescript
  * const auth = await hazo_get_tenant_auth(request);
- * if (auth.authenticated && auth.selected_scope) {
+ * if (auth.authenticated && auth.organization) {
  *   // Access tenant-specific data
- *   const data = await getData(auth.selected_scope.id);
+ *   const data = await getData(auth.organization.id);
  * }
  * ```
  */
@@ -42,15 +41,15 @@ export declare function hazo_get_tenant_auth(request: NextRequest, options?: Ten
  *
  * @param request - NextRequest object
  * @param options - TenantAuthOptions for customization
- * @returns RequiredTenantAuthResult with guaranteed non-null selected_scope
+ * @returns RequiredTenantAuthResult with guaranteed non-null organization
  * @throws AuthenticationRequiredError, TenantRequiredError, TenantAccessDeniedError
  *
  * @example
  * ```typescript
  * try {
  *   const auth = await require_tenant_auth(request);
- *   // auth.selected_scope is guaranteed non-null here
- *   const data = await getData(auth.selected_scope.id);
+ *   // auth.organization is guaranteed non-null here
+ *   const data = await getData(auth.organization.id);
  * } catch (error) {
  *   if (error instanceof HazoAuthError) {
  *     return NextResponse.json(

package/dist/lib/auth/hazo_get_tenant_auth.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_get_tenant_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_tenant_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO1C,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EAGzB,MAAM,cAAc,CAAC;AAqBtB;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,iBAAiB,GACzB,MAAM,GAAG,SAAS,CAYpB;AAiCD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CA0F3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CA0BnC"}
+{"version":3,"file":"hazo_get_tenant_auth.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/hazo_get_tenant_auth.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO1C,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EAGzB,MAAM,cAAc,CAAC;AAqBtB;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,iBAAiB,GACzB,MAAM,GAAG,SAAS,CAYpB;AAiCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CA0F3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,WAAW,EACpB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CA0BnC"}